Most importantly, Senator Leahy’s bill covers more types of data than other federal data breach proposals. The majority of data breach bills only cover financial data, information related to someone’s financial data, or data traditionally considered personal, such as social security, driver’s license, or phone numbers — data sets that are by and large already covered by existing state law. For example, the Data Security and Breach Notification Act, introduced by Representative Marsha Blackburn, is limited to traditionally “personal” types of data (driver’s license number, passport number, phone number, etc.) and financial account numbers or unique account identifiers required for someone to obtain a “thing of value”. Mr. Leahy’s bill covers these data sets as well as other types of data like pictures and video stored in the cloud. So if iCloud is hacked, for example, you’d be notified under Senator Leahy’s bill, but likely not notified under the majority of other bills before Congress. For most consumers, this would be a new (and valuable) protection.

The bill also limits preemption so that states can continue to innovate on data breach laws to provide their residents with enhanced protections

The bill also limits preemption so that states can continue to innovate on data breach laws to provide their residents with enhanced protections. A national data breach standard may make sense on one hand: having multiple, inconsistent laws for when to notify consumers of a breach could be difficult for companies to implement. However, consumer protections would be significantly set back if the federal standard preempts significantly stronger state laws, or stops states from responding to emerging threats by passing new notification requirements. Much of the concern surrounding federal data breach notification bills before Congress is focused on the preemptive effect many of these proposals would have on state laws. For example, the preemption provision in the Blackburn bill would prevent states from continuing to enforce or passing any law that addresses data security and/or breach notification — even for data sets not addressed by the federal bill. This bill was opposed by CDT and other consumer advocacy organizations in a joint letter to the Energy & Commerce Committee.

Senator Leahy’s Online Consumer Privacy and Data Security Act is a welcome exception to this and other bills in Congress that have a similar preemptive effect. Senator Leahy’s preemption provision even allows states to pass additional requirements for data covered by his bill, just as HIPAA allows states to pass additional protections for covered health information.

Senator Leahy’s bill also requires companies to always notify of a security breach, as opposed to only requiring notification once a specific harm has resulted or could result from the breach. CDT has previously written about the importance of not requiring that an objective harm (a “harm trigger”) be identified prior to notification. Harm triggers only increase the chance that you won’t be notified of hacks, because many of these hacks won’t fit within the law’s definition of harm. Harm triggers also diminish the company’s incentive to improve its data security practices because they can get out of having to let customers know about certain breaches. Unfortunately, a number of bills in the House and Senate include harm triggers (which are generally focused on financial harm alone), including Senators Carper and Blunt’s bill, Senators Kirk and Gillibrand’s bill, and Reps. Blackburn and Welch’s bill. Given Senator Leahy’s broadened application to online accounts, the removal of a harm trigger especially makes sense — companies shouldn’t be obligated to go through breached accounts to make a determination of how sensitive the exposed data might be. Instead, they should simply let consumers know if they think their personal information has been compromised.

Other points worth noting: Leahy’s bill has a shorter notification period than many federal data breach proposals (“as expediently as possible and without unreasonable delay” as opposed to 30-60 days). Mr. Leahy’s bill also sets the cap for penalties at $5 million, which is higher than other federal bills that include a cap. (We’re not convinced such a cap is necessary, as it would limit enforcers’ ability to deter the biggest actors.) It should also be noted that Senator Leahy’s bill includes provisions that could amend existing federal law to give the government authority to obtain civil injunctions against conduct that it alleges would violate part of the federal anti-hacking statute, the Computer Fraud and Abuse Act (CFAA). Specifically, Leahy’s bill would allow the government to obtain civil injunctions to compel companies to take unspecified actions against individuals that intentionally cause damage to computers in violation of 18 USC 1030(a)(5) – such as individuals commanding botnets to perform denial-of-service attacks. Leahy’s bill also requires that any action the companies take (read: hacking) under the injunction can only affect the violators, but the companies would be shielded from liability for the effects of their actions. While this provision was clearly crafted to be narrow and avoid collateral damage to innocent computer users, CDT continues to have reservations about governments compelling or allowing companies to “hack back” against troublesome computers. If this bill is going to reform the CFAA, we’d prefer an effort to constrain some of its more egregious provisions rather than extending its scope.

Despite this flaw, however, CDT enthusiastically supports Senator Leahy’s effort to reform federal data breach notification law. Given growing concerns around recently introduced data breach bills, we think it’s critical that strong alternatives are proposed and backed in Congress in the weeks to come. We believe Senator Leahy’s bill will provide that alternative and we hope others in Congress will support his effort.